fix CVE-2022-3650
This commit is contained in:
wangzengliang1
parent
ef7e94a7f2
commit
6a15e33bc4
75
0010-fix-CVE-2022-3650.patch
Normal file
75
0010-fix-CVE-2022-3650.patch
Normal file
@ -0,0 +1,75 @@
|
||||
From f4035e49ee4745cd384d48a2334be793ce8df461 Mon Sep 17 00:00:00 2001
|
||||
From: wangzengliang1 <wangzengliang1@huawei.com>
|
||||
Date: Mon, 5 Dec 2022 15:10:45 +0800
|
||||
Subject: [PATCH] fix
|
||||
|
||||
---
|
||||
src/ceph-crash.in | 28 ++++++++++++++++++++++++++--
|
||||
1 file changed, 26 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/src/ceph-crash.in b/src/ceph-crash.in
|
||||
index c549dc1..ad5823e 100644
|
||||
--- a/src/ceph-crash.in
|
||||
+++ b/src/ceph-crash.in
|
||||
@@ -3,8 +3,10 @@
|
||||
# vim: ts=4 sw=4 smarttab expandtab
|
||||
|
||||
import argparse
|
||||
+import grp
|
||||
import logging
|
||||
import os
|
||||
+import pwd
|
||||
import signal
|
||||
import socket
|
||||
import subprocess
|
||||
@@ -45,7 +47,8 @@ def post_crash(path):
|
||||
stderr=subprocess.PIPE,
|
||||
)
|
||||
f = open(os.path.join(path, 'meta'), 'rb')
|
||||
- stdout, stderr = pr.communicate(input=f.read())
|
||||
+ (_, stderr) = pr.communicate(input=f.read())
|
||||
+ stderr = stderr.decode()
|
||||
rc = pr.wait()
|
||||
f.close()
|
||||
if rc != 0:
|
||||
@@ -80,7 +83,25 @@ def handler(signum, frame):
|
||||
print('*** Interrupted with signal %d ***' % signum)
|
||||
sys.exit(0)
|
||||
|
||||
+def drop_privs():
|
||||
+ if os.getuid() == 0:
|
||||
+ try:
|
||||
+ ceph_uid = pwd.getpwnam("ceph").pw_uid
|
||||
+ ceph_gid = grp.getgrnam("ceph").gr_gid
|
||||
+ os.setgroups([])
|
||||
+ os.setgid(ceph_gid)
|
||||
+ os.setuid(ceph_uid)
|
||||
+ except Exception as e:
|
||||
+ log.error(f"Unable to drop privileges: {e}")
|
||||
+ sys.exit(1)
|
||||
+
|
||||
+
|
||||
def main():
|
||||
+
|
||||
+
|
||||
+ # run as unprivileged ceph user
|
||||
+ drop_privs()
|
||||
+
|
||||
# exit code 0 on SIGINT, SIGTERM
|
||||
signal.signal(signal.SIGINT, handler)
|
||||
signal.signal(signal.SIGTERM, handler)
|
||||
@@ -96,7 +117,10 @@ def main():
|
||||
|
||||
log.info("monitoring path %s, delay %ds" % (args.path, args.delay * 60.0))
|
||||
while True:
|
||||
- scrape_path(args.path)
|
||||
+ try:
|
||||
+ scrape_path(args.path)
|
||||
+ except Exception as e:
|
||||
+ log.error(f"Error scraping {args.path}: {e}")
|
||||
if args.delay == 0:
|
||||
sys.exit(0)
|
||||
time.sleep(args.delay * 60)
|
||||
--
|
||||
2.13.0.windows.1
|
||||
|
||||
@ -125,7 +125,7 @@
|
||||
#################################################################################
|
||||
Name: ceph
|
||||
Version: 16.2.7
|
||||
Release: 10
|
||||
Release: 11
|
||||
%if 0%{?fedora} || 0%{?rhel} || 0%{?openEuler}
|
||||
Epoch: 2
|
||||
%endif
|
||||
@ -152,6 +152,7 @@ Patch6: 0006-ceph-volume-decrease-number-of-pvs-calls-in-lvm-list.patch
|
||||
Patch7: 0007-bluestore-use-direct-write-for-bdevlabel.patch
|
||||
Patch8: 0008-enable-sw64-architecture.patch
|
||||
Patch9: 0009-fix-CVE-2022-0670.patch
|
||||
Patch10: 0010-fix-CVE-2022-3650.patch
|
||||
%if 0%{?suse_version}
|
||||
# _insert_obs_source_lines_here
|
||||
ExclusiveArch: x86_64 aarch64 ppc64le s390x
|
||||
@ -2492,6 +2493,9 @@ exit 0
|
||||
%config %{_sysconfdir}/prometheus/ceph/ceph_default_alerts.yml
|
||||
|
||||
%changelog
|
||||
* Mon Dec 5 2022 wangzengliang <wangzengliang2@huawei.com> - 2:16.2.7-11
|
||||
- fix CVE-2022-3650
|
||||
|
||||
* Tue Nov 15 2022 wangzengliang <wangzengliang1@huawei.com> - 2:16.2.7-10
|
||||
- keep the ceph.spec align with native community
|
||||
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user